Security configuration
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
@Order(1)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.cors(Customizer.withDefaults())
.authorizeHttpRequests(authz -> authz
.requestMatchers(HttpMethod.POST, "/oauth2/jwks").hasAuthority("SCOPE_keys.write"))
.securityMatchers(matchers ->
matchers.requestMatchers(antMatcher("/oauth2/**"), authorizationServerConfigurer.getEndpointsMatcher()))
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer.oidc(Customizer.withDefaults())) // Enable OpenID Connect 1.0
// Redirect to the login page when not authenticated from the
// authorization endpoint
.exceptionHandling((exceptions) -> exceptions
.defaultAuthenticationEntryPointFor(
new LoginUrlAuthenticationEntryPoint("/login"),
new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
))
// Accept access tokens for User Info and/or Client Registration
.oauth2ResourceServer((oauth2) -> oauth2.jwt(Customizer.withDefaults()));
return http.build();
}
@Bean
@Order(2)
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
throws Exception {
http
.cors(Customizer.withDefaults())
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/login", "/error", "/main.css")
.permitAll()
.anyRequest().authenticated()
)
// Form login handles the redirect to the login page from the
// authorization server filter chain
.formLogin((login) -> login.loginPage("/login"));
return http.build();
}
}
Clients Registration
@Configuration
public class Clients {
@Bean
public RegisteredClientRepository registeredClientRepository() {
RegisteredClient oidcClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("stomble")
.clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
.authorizationGrantTypes(types -> {
types.add(AuthorizationGrantType.AUTHORIZATION_CODE);
types.add(AuthorizationGrantType.REFRESH_TOKEN);
})
.redirectUris(redirectUri -> {
redirectUri.add("http://localhost:4200/");
redirectUri.add("https://oauth.pstmn.io/v1/callback");
redirectUri.add("http://localhost:4200/assets/silent-renew.html");
redirectUri.add("http://localhost:4200/auth-callback");
})
.postLogoutRedirectUri("http://localhost:4200/")
.scopes(score -> {
score.add(OidcScopes.OPENID);
score.add(OidcScopes.PROFILE);
score.add(OidcScopes.EMAIL);
})
.clientSettings(ClientSettings.builder()
.requireAuthorizationConsent(false)
.requireProofKey(true)
.build())
.build();
return new InMemoryRegisteredClientRepository(oidcClient);
}
}
Angular App
fetch("http://127.0.0.1:5100/oauth2/token", {
"headers": {
"accept": "application/json",
"accept-language": "en-US,en;q=0.9",
"content-type": "application/x-www-form-urlencoded",
"sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
"sec-ch-ua-mobile": "?0",
"sec-ch-ua-platform": "\"macOS\"",
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "cross-site"
},
"referrer": "http://localhost:4200/",
"referrerPolicy": "strict-origin-when-cross-origin",
"body": "grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fauth-callback&code=2y8jZGgxjkicK4kIxDTBfgS7gC7dm6yVDRpgRSL8f_eRCf0qe6zrO67q1S0xzl0DX5HD3quSGeSCRr59hSWQC8D7bfINM-YME4L8CcNAelx1KiKvLk5X6UUwgOQoCLps&code_verifier=0d335bff326449bfbaeeb1cc14ef005fae3ac7af0a6e4a9096c48b23988c8ad2206bae4ee2a64f5a975000b39ef8545f&client_id=stomble",
"method": "POST",
"mode": "cors",
"credentials": "omit"
});
Network response
Request URL:
http://127.0.0.1:5100/oauth2/token
Request Method:
POST
Status Code:
403 Forbidden
Remote Address:
127.0.0.1:5100
Using oidc-client.ts library with below configuration https://github.com/authts/oidc-client-ts
openID = {
authority: 'http://127.0.0.1:5100',
client_id: 'stomble',
redirect_uri: 'http://localhost:4200/auth-callback',
post_logout_redirect_uri: 'http://localhost:4200',
response_type: 'code',
scope: 'openid profile email',
automaticSilentRenew: false,
silentRenewUrl: window.location.origin + '/assets/silent-renew.html',
renewTimeBeforeTokenExpiresInSeconds: 10,
autoUserInfo: false,
};
Authentication server logs
logging.level.org.springframework.security.oauth2=trace
server.port=5100
logs
2024-12-03T22:43:02.952+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking CsrfFilter (7/26)
2024-12-03T22:43:02.952+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match And [CsrfNotRequired [TRACE, HEAD, GET, OPTIONS], Not [Or [Or [Or [Ant [pattern='/oauth2/token', POST], Ant [pattern='/oauth2/introspect', POST], Ant [pattern='/oauth2/revoke', POST], Ant [pattern='/oauth2/device_authorization', POST]], Ant [pattern='/.well-known/oauth-authorization-server', GET], Or [Ant [pattern='/oauth2/authorize', GET], Ant [pattern='/oauth2/authorize', POST]], Ant [pattern='/oauth2/token', POST], Ant [pattern='/oauth2/introspect', POST], Ant [pattern='/oauth2/revoke', POST], Ant [pattern='/oauth2/device_authorization', POST], Or [Ant [pattern='/oauth2/device_verification', GET], Ant [pattern='/oauth2/device_verification', POST]], Or [Ant [pattern='/.well-known/openid-configuration', GET], Or [Ant [pattern='/connect/logout', GET], Ant [pattern='/connect/logout', POST]], Or [Ant [pattern='/userinfo', GET], Ant [pattern='/userinfo', POST]]], Ant [pattern='/oauth2/jwks', GET]], org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer$BearerTokenRequestMatcher@691500ab]]]
2024-12-03T22:43:02.953+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking OidcLogoutEndpointFilter (8/26)
2024-12-03T22:43:02.953+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (9/26)
2024-12-03T22:43:02.953+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.s.w.a.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2024-12-03T22:43:02.953+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationServerMetadataEndpointFilter (10/26)
2024-12-03T22:43:02.953+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationEndpointFilter (11/26)
2024-12-03T22:43:02.953+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking OAuth2DeviceVerificationEndpointFilter (12/26)
2024-12-03T22:43:02.953+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking OidcProviderConfigurationEndpointFilter (13/26)
2024-12-03T22:43:02.953+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking NimbusJwkSetEndpointFilter (14/26)
2024-12-03T22:43:02.953+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking OAuth2ClientAuthenticationFilter (15/26)
2024-12-03T22:43:02.954+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.s.authentication.ProviderManager : Authenticating request with JwtClientAssertionAuthenticationProvider (1/20)
2024-12-03T22:43:02.955+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.s.authentication.ProviderManager : Authenticating request with X509ClientCertificateAuthenticationProvider (2/20)
2024-12-03T22:43:02.955+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.s.authentication.ProviderManager : Authenticating request with ClientSecretAuthenticationProvider (3/20)
2024-12-03T22:43:02.955+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.s.authentication.ProviderManager : Authenticating request with PublicClientAuthenticationProvider (4/20)
2024-12-03T22:43:02.955+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] s.a.a.PublicClientAuthenticationProvider : Retrieved registered client
2024-12-03T22:43:02.955+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] s.a.a.PublicClientAuthenticationProvider : Validated client authentication parameters
2024-12-03T22:43:02.955+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.s.o.s.a.a.CodeVerifierAuthenticator : Retrieved authorization with authorization code
2024-12-03T22:43:02.956+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.s.o.s.a.a.CodeVerifierAuthenticator : Validated code verifier parameters
2024-12-03T22:43:02.956+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.s.o.s.a.a.CodeVerifierAuthenticator : Authenticated code verifier
2024-12-03T22:43:02.956+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] s.a.a.PublicClientAuthenticationProvider : Authenticated public client
2024-12-03T22:43:02.956+11:00 DEBUG 41205 --- [identity] [nio-5100-exec-9] o.s.a.w.OAuth2ClientAuthenticationFilter : Set SecurityContextHolder authentication to OAuth2ClientAuthenticationToken
2024-12-03T22:43:02.957+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking BearerTokenAuthenticationFilter (16/26)
2024-12-03T22:43:02.957+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] .s.r.w.a.BearerTokenAuthenticationFilter : Did not process request since did not find bearer token
2024-12-03T22:43:02.957+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (17/26)
2024-12-03T22:43:02.957+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.s.w.s.HttpSessionRequestCache : matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2024-12-03T22:43:02.957+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (18/26)
2024-12-03T22:43:02.957+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (19/26)
2024-12-03T22:43:02.957+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (20/26)
2024-12-03T22:43:02.957+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (21/26)
2024-12-03T22:43:02.957+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] estMatcherDelegatingAuthorizationManager : Authorizing POST /oauth2/token
2024-12-03T22:43:02.958+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] estMatcherDelegatingAuthorizationManager : Denying request since did not find matching RequestMatcher
2024-12-03T22:43:02.959+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.s.w.a.AnonymousAuthenticationFilter : Did not set SecurityContextHolder since already authenticated OAuth2ClientAuthenticationToken [Principal=stomble, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[]]
2024-12-03T22:43:02.959+11:00 TRACE 41205 --- [identity] [nio-5100-exec-9] o.s.s.w.a.ExceptionTranslationFilter : Sending OAuth2ClientAuthenticationToken [Principal=stomble, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[]] to access denied handler since access is denied
org.springframework.security.authorization.AuthorizationDeniedException: Access Denied
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:99) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:128) ~[spring-security-oauth2-resource-server-6.4.1.jar:6.4.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter.doFilterInternal(OAuth2ClientAuthenticationFilter.java:144) ~[spring-security-oauth2-authorization-server-1.4.0.jar:1.4.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter.doFilterInternal(NimbusJwkSetEndpointFilter.java:88) ~[spring-security-oauth2-authorization-server-1.4.0.jar:1.4.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.oauth2.server.authorization.oidc.web.OidcProviderConfigurationEndpointFilter.doFilterInternal(OidcProviderConfigurationEndpointFilter.java:91) ~[spring-security-oauth2-authorization-server-1.4.0.jar:1.4.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.oauth2.server.authorization.web.OAuth2DeviceVerificationEndpointFilter.doFilterInternal(OAuth2DeviceVerificationEndpointFilter.java:152) ~[spring-security-oauth2-authorization-server-1.4.0.jar:1.4.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter.doFilterInternal(OAuth2AuthorizationEndpointFilter.java:175) ~[spring-security-oauth2-authorization-server-1.4.0.jar:1.4.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationServerMetadataEndpointFilter.doFilterInternal(OAuth2AuthorizationServerMetadataEndpointFilter.java:90) ~[spring-security-oauth2-authorization-server-1.4.0.jar:1.4.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.oauth2.server.authorization.oidc.web.OidcLogoutEndpointFilter.doFilterInternal(OidcLogoutEndpointFilter.java:105) ~[spring-security-oauth2-authorization-server-1.4.0.jar:1.4.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.AuthorizationServerContextFilter.doFilterInternal(AuthorizationServerContextFilter.java:69) ~[spring-security-oauth2-authorization-server-1.4.0.jar:1.4.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.4.1.jar:6.4.1]
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:243) ~[spring-webmvc-6.2.0.jar:6.2.0]
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:238) ~[spring-security-config-6.4.1.jar:6.4.1]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278) ~[spring-web-6.2.0.jar:6.2.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.2.0.jar:6.2.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.0.jar:6.2.0]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:397) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:905) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-embed-core-10.1.33.jar:10.1.33]
at java.base/java.lang.Thread.run(Thread.java:1583) ~[na:na]
Same issue from Postman as well
You are receiving an AccessDeniedException due to authorization failure. The default is denyAll(), and you do not have a default rule to override it. Add .anyRequest().authenticated() to your authorizeHttpRequests() to fix this problem.